AEPD (Spain) - EXP202202937

From GDPRhub
AEPD - EXP202202937
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 17 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started: 08.02.2022
Decided: 26.08.2022
Published: 26.08.2022
Fine: n/a
National Case Number/Name: EXP202202937
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: mgrd

The Spanish DPA notified a bank as a controller, ABANCA, for not replying to a data subject's exercise right, violating Article 12 GDPR.

English Summary


On February 8, 2022 the data subject complaint in AEPD against ABANCA CORPORACIÓN BANCARIA, S.A. due to not responding to an access request.

The data subject also approached LEXER, the credit recovery company for ABANCA, requesting for an immediate cessation of telephone harassment, mail, letters to the data subject requesting money recovery.

LEXER answered that regarding the debt with ABANCA, the communications were sent to the data subject since they provide a service of money recovery for ABANCA and they would immediately stop the processing.

LEXER stated that the first complaint made by the data subject was not considered as an exercise right since the data subject did not specify any of the rights in data protection laws.

ABANCA attributed the failure to immediately address the data subject's request to an internal error at LEXER, which did not communicate the request for data suppression to ABANCA in a timely manner.


AEPD highlighted that the controller must reply to the exercise of rights by the data subject within 30 days, exempt in cases which it cannot identify the data subject and it shall justify the reasons, as per Article 12(3) GDPR.

AEPD stated that, with the documentation provided, the data subject exercised the right of deletion of his data and that LEXER did not forward the request to the ABANCA. In additional, ABANCA, after being aware of the request via the procedure at hand, denied the request claiming existing contractual relations in force, which included debts, thus justifying their refusal to erase the complainant's data.

AEPD decided to formally notify ABANCA for the exercise of right by the data subject, without any further proceedings, since ABANCA later replied to the data subject.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     File No.: EXP202202937

                          RESOLUTION NO.: R/00818/2022

Considering the claim made on February 8, 2022 before this Agency by D.
A.A.A. against ABANCA CORPORACIÓN BANCARIA, S.A. (hereinafter, the part
claimed), because their right to deletion has not been duly attended to.

The procedural actions provided for in Title VIII of the Law have been carried out
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD), the following have been verified


FIRST: D. A.A.A. (hereinafter, the complaining party), submitted a document to
ABANCA CORPORACIÓN BANCARIA, S.A. (hereinafter, the claimed party, or
Abanca) indicating that the data contained in the CIRBE File is erroneous, and
requesting “(…) agree to the rectification of the statements corresponding to the

appearing at the CIRBE, canceling my data and deregistering me
all legally established effects (…)”

Likewise, the claimant addressed LEXER requesting “(…) that they order the termination
immediate harassment by telephone, email, letters,... to me for the demand of

any type of collection, both on me and on possible third parties

This entity answers you, regarding the communications that have been sent to you by a
debt with Abanca, “(…) that our organization only provides a
recovery on account of the Abanca entity, as Data Processor

of personal data according to the definition of article 33 of Organic Law 3/2018

However, we would like to inform you that we will proceed to immediately paralyze the procedures.
associated with your file, in a preventive manner, until what happened is clarified.”

SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a
mechanism prior to the admission for processing of claims made before
the AEPD, consisting of transferring them to the Data Protection Delegates
designated by those responsible or in charge of the treatment, for the intended purposes
in article 37 of the aforementioned norm, or to these when they have not been designated,

transferred the claim to the two entities so that they could proceed with their analysis
and respond to the complaining party and this Agency within a period of one month.

    - The representation of Lexer Servicios Integrales de Recovery S.L.U.,
       formerly called Cobralia Servicios Integrales de Recovery S:L:

       noted that the first claim received was not considered a
       exercise of rights given that the claimant did not specify any of the

C/ Jorge Juan, 6
28001 – Madrid 2/8

       rights of data protection regulations, requested the “cessation of
       communications”, “harassment” and “claiming debts”.

       "Notwithstanding the above, and given that LSIR processed the claimant's data in
       quality of data processor, in accordance with our procedures
       internally, that same day, 01/27/2022, we informed the person responsible for the
       treatment, to obtain instructions for action on your part. Once
       received, that same day, the confirmation of the suspension of efforts by
       of the person responsible, LSIR proceeded to said stoppage, with the

       corresponding marking in the management program.

       On 02/14/2022, due to an internal error, of an exceptional nature, that
       has already been resolved, the contact details of the complainant were reactivated, which
       which caused the claims service to begin again

       of debt by LSIR.

       That same day, an email is received from the claimant, apparently with the
       same content as the claim received from you on 01/27/2022, therefore
       that at that time, as happened with the claim of 01/27/2022,
       It was not processed as an exercise of rights by the claimant.

       However, currently and due to the request for information received
       on the part of the AEPD, we have been able to show that said communication did
       included the request for the right of deletion. In this sense, from LSIR
       have put in place all the necessary steps to process said

       right, transferring the request to the person responsible for the treatment.”

       Provide a copy of the response sent to the claimant, dated April 27,
       2022, informing you that your request has been transferred to the person responsible for the

    - There is no record that this Agency has received any response from

THIRD: The result of the transfer procedure indicated in the previous Fact does not
allowed the claims of the complaining party to be understood as satisfied. In

consequently, dated May 8, 2022, for the purposes provided for in its article
64.2 of the LOPDGDD, the Director of the Spanish Data Protection Agency
agreed to admit the claim presented for processing and the parties were informed that the
maximum period to resolve this procedure, which is understood to have been initiated
through said admission agreement for processing, it will be six months.

The aforementioned agreement granted Abanca a hearing process, so that within the period
within fifteen business days to present the allegations it deems appropriate. Bliss
entity stated, in summary, that “(…) the claimant maintains contractual relations
active with the entity derived from the subscription of different products and/or services

financial positions, maintaining, at the date of filing said claim,
debtors with the entity. Likewise, it is confirmed that Abanca commissioned the company
Lexer the management for the collection of the debt of Mr. (…); acting accordingly

C/ Jorge Juan, 6
28001 – Madrid 3/8

Lexer in its capacity as Data Processor of Abanca's data
is responsible for the treatment.”

It indicates that Lexer responded to the claimant, after his request of February 1, 2022, and
following the instructions sent by Abanca in relation to your file,
informing you of the suspension of the procedures associated with it.

Notwithstanding the above, due to an internal error by Lexer, it was not transferred to Abanca
the new request to cease communications related to the management of your debt

and the exercise of the right to deletion of their data presented by the claimant, which
which makes it impossible for Abanca to give a timely response to the interested party, in addition to
a breach of the obligations stipulated in the commissioning contract
treatment signed between Abanca and Lexer.

Due to the transfer of the claim made by this Agency, Lexer put in
knowledge of Abanca's receipt of the claimant's deletion exercise.

For this reason, and after the corresponding investigations, Abanca responded to the
complainant indicating that “(…) it is not possible to attend to your request since
currently maintains active positions with the Entity. (…) To proceed with the downgrade

of your personal data in this entity, it is necessary that you previously proceed to
cancel their positions” by providing a copy of the letter sent.

FOURTH: Once the allegations presented by the defendant have been examined, they are the subject of
transfer to the complaining party, so that, within a period of fifteen business days, it can formulate

allegations that it considers appropriate, without the response being recorded in this Agency

                           FOUNDATIONS OF LAW

FIRST: The Director of the Spanish Agency for
Data Protection, in accordance with the provisions of section 2 of article 56 in
in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 regarding the protection of
natural persons with regard to the processing of personal data and the free
circulation of this data (hereinafter referred to as GDPR); and in article 47 of the LOPDGDD.

SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency
Spanish Data Protection Agency is competent to perform the functions that
are assigned to it in its article 57, among them, to enforce the Regulation and
promote awareness of data controllers and those in charge of processing

about their obligations, as well as dealing with claims
presented by an interested party and investigate the reason for them.

Correlatively, article 31 of the RGPD establishes the obligation of those responsible
and those in charge of processing to cooperate with the supervisory authority that requests it in

the performance of their functions. In the event that they have designated a
data protection officer, article 39 of the RGPD attributes to him the function of
cooperate with said authority.

C/ Jorge Juan, 6
28001 – Madrid 4/8

Likewise, the domestic legal system, in article 65.4 of the LOPDGDD, has
provided for a mechanism prior to the admission for processing of claims that are
formulate before the Spanish Data Protection Agency, which consists of giving

transfer of the same to the data protection delegates designated by the
responsible or in charge of the treatment, for the purposes provided for in article 37 of
the aforementioned norm, or to these when they have not been designated, to proceed to the
analysis of said claims and to respond to them within a period of one month.

In accordance with this regulation, prior to the admission for processing of the

claim that gives rise to this procedure, it was transferred to the
responsible entity to proceed with its analysis, provide a response to this Agency
within a period of one month and proves that it has provided the claimant with the appropriate response,
in the event of exercise of the rights regulated in articles 15 to 22 of the

The result of said transfer did not allow the claims of the
complaining party. Consequently, on May 8, 2022, for the purposes
provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for
Data Protection agreed to accept the claim presented for processing. Saying
admission agreement for processing determines the opening of this procedure

lack of attention to a request to exercise the rights established in the
articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the

"1. When the procedure refers exclusively to the lack of attention of a

request to exercise the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679, will begin by agreement of admission to processing, which will be
will be adopted in accordance with the provisions of the following article.
In this case, the period to resolve the procedure will be six months from
from the date on which the claimant was notified of the admission agreement to

Procedure. After this period, the interested party may consider his

It is not considered appropriate to clarify administrative responsibilities within the framework
of a sanctioning procedure, the exceptional nature of which implies that it is opted,
whenever possible, due to the prevalence of alternative mechanisms that have

protection in current regulations.

It is the exclusive responsibility of this Agency to assess whether there are responsibilities
administrative actions that must be purged in a sanctioning procedure and, in
consequently, the decision on its opening, there being no obligation to initiate a

procedure for any request made by a third party. Such a decision must
be based on the existence of elements that justify said start of the activity
sanctioning, circumstances that do not occur in the present case, considering that
With this procedure, the guarantees are duly restored and
rights of the claimant.

THIRD: The rights of people regarding data protection
personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the

C/ Jorge Juan, 6
28001 – Madrid 5/8

LOPDGDD. The rights of access, rectification, deletion,
opposition, right to limitation of processing and right to portability.

The formal aspects related to the exercise of these rights are established in the
articles 12 of the RGPD and 12 of the LOPDGDD.

Furthermore, what is expressed in Considering 59 and following of the

In accordance with the provisions of these regulations, the person responsible for the treatment
must arbitrate formulas and mechanisms to facilitate the interested party in the exercise of their rights.
rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3
of the RGPD), and is obliged to respond to requests made no later than a
month, unless you can demonstrate that you are not in a position to identify the

interested, and to express his reasons in case he was not going to attend said
application. It falls on the person responsible to prove compliance with the duty of
respond to the request to exercise their rights made by the affected party.

The communication addressed to the interested party on the occasion of their request must
be expressed in a concise, transparent, intelligible and easily accessible manner, with a

clear and simple language.

In the case of the right of access to personal data, in accordance with the
established in article 13 of the LOPDGDD, when the exercise of the right is
refers to a large amount of data, the person responsible may request the affected person to

specify the “data or processing activities to which the request refers”. He
The right will be deemed granted if the person responsible provides remote access to the data,
considering the request has been attended to (although the interested party may request the information
referring to the extremes provided for in article 15 of the RGPD).

The exercise of this right may be considered repetitive on more than one occasion.
during the period of six months, unless there is legitimate cause for it.

On the other hand, the request will be considered excessive when the affected party chooses a means
different from the one offered that entails a disproportionate cost, which must be
assumed by the affected person.

FOURTH: Article 17 of the RGPD, which regulates the right to deletion of data
personal, establishes the following:

"1. The interested party will have the right to obtain without undue delay from the person responsible for the

processing the deletion of personal data that concerns you, which will be
obliged to delete personal data without undue delay when any
of the following circumstances:

a) the personal data are no longer necessary in relation to the purposes for which they were

were collected or otherwise treated;
b) the interested party withdraws the consent on which the treatment is based in accordance
with Article 6(1)(a) or Article 9(2)(a) and this is not
based on another legal basis;

C/ Jorge Juan, 6
28001 – Madrid 6/8

c) the data subject objects to the processing in accordance with Article 21(1) and does not
other legitimate reasons for the processing prevail, or the interested party opposes the
treatment pursuant to Article 21(2);

d) the personal data have been processed unlawfully;
e) personal data must be deleted for compliance with a legal obligation
established in the law of the Union or of the Member States that applies to the
responsible for the treatment;
f) the personal data have been obtained in relation to the offer of services of the
information society mentioned in Article 8, paragraph 1.

2. When you have made personal data public and are obliged, by virtue of the
provided in section 1, to delete said data, the data controller,
taking into account the available technology and the cost of its application, it will adopt
reasonable measures, including technical measures, with a view to informing

responsible parties who are processing the personal data of the interested party's request for
deletion of any link to that personal data, or any copy or replication of
the same.

3. Sections 1 and 2 will not apply when treatment is necessary:
a) to exercise the right to freedom of expression and information;

b) for compliance with a legal obligation that requires data processing
imposed by Union or Member State law applicable to the
responsible for the treatment, or for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the person responsible;
c) for reasons of public interest in the field of public health in accordance with

Article 9, paragraph 2, letters h) and i), and paragraph 3;
d) for archival purposes in the public interest, scientific or historical research purposes or
statistical purposes, in accordance with Article 89(1), to the extent that
the right indicated in paragraph 1 could make it impossible or hinder
seriously the achievement of the objectives of said treatment, or

e) for the formulation, exercise or defense of claims.”

FIFTH: Article 4 of the GDPR, Definitions, establishes that

“For the purposes of this Regulation it will be understood as:


8) "processor" or "processor": the natural or legal person, authority
public, service or other body that processes personal data on behalf of the
responsible for the treatment;


Article 28 of the GDPR, Data Processor, provides that

1. When treatment is to be carried out on behalf of a person responsible for the
treatment, this will only choose a manager who offers sufficient guarantees
to apply appropriate technical and organizational measures, so that the

C/ Jorge Juan, 6
28001 – Madrid 7/8

treatment complies with the requirements of this Regulation and ensures the
protection of the rights of the interested party.

2. (…)

3. The treatment by the processor will be governed by a contract or other legal act with
under the law of the Union or of the Member States, binding the person in charge
regarding the person responsible and establishes the object, duration, nature and
purpose of the processing, the type of personal data and categories of interested parties, and the

obligations and rights of the person responsible. Said contract or legal act will stipulate, in
particular, that the person in charge:

       a) will process personal data only following instructions
       documented data from the controller, including with respect to transfers of

       personal data to a third country or an international organization, unless
       is obliged to do so under Union or State law
       members that applies to the manager; In this case, the person in charge will inform the
       responsible for that legal requirement prior to treatment, unless such Right
       prohibits it for important reasons of public interest;

       b) will ensure that the persons authorized to process personal data are
       have agreed to respect confidentiality or are subject to a
       confidentiality obligation of a statutory nature;

       c) take all necessary measures in accordance with article 32;

       d) will respect the conditions indicated in sections 2 and 4 to resort to
       another processor;

       e) will assist the person responsible, taking into account the nature of the treatment, to

       through appropriate technical and organizational measures, whenever it is
       possible, so that it can fulfill its obligation to respond to the
       requests that have as their object the exercise of the rights of
       interested parties established in chapter III;

       f) will help the person responsible to ensure compliance with obligations

       established in articles 32 to 36, taking into account the nature of the
       treatment and information available to the person in charge;

       g) at the discretion of the controller, delete or return all personal data
       once the provision of the treatment services ends, and will delete the

       Existing copies unless retention of data is required
       personal under Union or Member State law;

       h) will make available to the person responsible all the information necessary to
       demonstrate compliance with the obligations established herein

       article, as well as to allow and contribute to the performance of audits,
       including inspections, by the responsible person or another authorized auditor
       by said person in charge.

C/ Jorge Juan, 6
28001 – Madrid 8/8

In relation to the provisions of letter h) of the first paragraph, the person in charge will inform
immediately to the controller if, in your opinion, an instruction violates this

Regulation or other data protection provisions of the Union or
the member states.

4. (…)"

SIXTH: In the present case, from the analysis of the documentation provided, it has
It has been proven that the claimant requested the right to delete their data
personal and that the person in charge of treatment did not transfer said request to the
responsible for the treatment, Abanca, to process it.

However, upon becoming aware of it through this procedure, Abanca
has proceeded to respond to the claimant denying the requested deletion as there is
current contractual relationships.

Consequently, the claim must be upheld for formal reasons.

Considering the aforementioned precepts and others of general application,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: ESTIMATE for formal reasons, the claim made by Mr. A.A.A.,

issuance of new certification by said entity, having issued the
response extemporaneously, without requiring the performance of actions
additional information from the person responsible.

SECOND: NOTIFY this resolution to D. A.A.A. and ABANCA

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with article 48.6
of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to

count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the

day following the notification of this act, as provided for in article 46.1 of the
referred Law.

Sea Spain Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6
28001 – Madrid